371d46edebc23cf2c04296df121f9d31a2f79530d473c4de0ff3736a1e2d6e5b

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 00:12

Target

371d46edebc23cf2c04296df121f9d31a2f79530d473c4de0ff3736a1e2d6e5b.dll
Size

800KB
MD5

74692eff0cae959b2e6e74248d0df98a
SHA1

5610a98dd69592bba0733ca42db1ee8bf56e2534
SHA256

371d46edebc23cf2c04296df121f9d31a2f79530d473c4de0ff3736a1e2d6e5b
SHA512

2fe300a42244be1de2e8bcf7a709f0ba94ed695d412e33293a3b64eb183e8726b7cc4d8f699a856e7d33458ed6236ceec81e8a1d5a262222947a23023796abce
SSDEEP

12288:PPTv+CFW4hPdahP/RN2kU7fWS36pweWGJr619QV4qqxEnEk3D6qC5UjuK2i82j:PPSH4hQP/RN2fLqNK9QV4qBH1yI

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
728	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x0009000000022df7-134.dat	upx
behavioral2/files/0x0009000000022df7-135.dat	upx
behavioral2/memory/728-137-0x0000000000400000-0x000000000048F000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4956	728	WerFault.exe	84

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 948	1328	rundll32.exe	83
PID 1328 wrote to memory of 948	1328	rundll32.exe	83
PID 1328 wrote to memory of 948	1328	rundll32.exe	83
PID 948 wrote to memory of 728	948	rundll32.exe	84
PID 948 wrote to memory of 728	948	rundll32.exe	84
PID 948 wrote to memory of 728	948	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\371d46edebc23cf2c04296df121f9d31a2f79530d473c4de0ff3736a1e2d6e5b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\371d46edebc23cf2c04296df121f9d31a2f79530d473c4de0ff3736a1e2d6e5b.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 264
      4⤵
      Program crash
      PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 728 -ip 728
1⤵
PID:4916

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
137KB

MD5
b82a555fd9de0d736a97cd10a7e100e1

SHA1
48e4c1531efdc1ad03d00305c374c79bfebe2c23

SHA256
e9a820755860e1c036b769a45dd9302984bcd759de69bcdbdd25515ddad867e8

SHA512
5cf8df4c6bfc2008cdc3a53887945ac23fd3fba348b6dc1ca44f421cfcdf1fafa83d0519a4c6fa37280f2eb3680fe982c2e918ae0abaec434f498d9656e28a63

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
137KB

MD5
b82a555fd9de0d736a97cd10a7e100e1

SHA1
48e4c1531efdc1ad03d00305c374c79bfebe2c23

SHA256
e9a820755860e1c036b769a45dd9302984bcd759de69bcdbdd25515ddad867e8

SHA512
5cf8df4c6bfc2008cdc3a53887945ac23fd3fba348b6dc1ca44f421cfcdf1fafa83d0519a4c6fa37280f2eb3680fe982c2e918ae0abaec434f498d9656e28a63

Download Submit
memory/728-137-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/948-136-0x0000000074F20000-0x0000000074FEA000-memory.dmp

Filesize
808KB

Download